Table of Contents
Advertisement
Configuring port isolation
Introduction to port isolation
Assigning ports to different VLANs is a typical way to isolate Layer 2 traffic for data privacy and security,
but this way is VLAN resource demanding. To save VLAN resources, you can use the port isolation
feature, which can isolate ports without using VLANs and allows for great flexibility and security.
For the isolated ports to communicate with a port outside isolation groups at Layer 2, you must configure
one uplink port for an isolation group.
The number of ports in an isolation group is not limited.
NOTE:
•
You cannot configure a link aggregation member port as the uplink port of an isolation group neither
can you assign the uplink port of an isolation group to a link aggregation group. If a port is configured
as a link aggregation member port and the uplink port of an isolation group at the same time, which is
allowed with some old version software, the link aggregation group configuration will take effect while
the port group configuration is removed for compatibility sake after you upgrade the configuration file.
For more information about link aggregation, see the chapter "Configuring Ethernet link aggregation."
Isolated ports only support MAC address learning, QoS actions accounting, filter deny, and car cir
•
committed-information-rate
H3C does not recommend that you configure Layer 2 protocols (such as GVRP) or Layer 3 protocols
•
(such as multicast and routing) on isolated ports. Doing so can cause forwarding anomaly or protocol
flapping.
Layer 2 traffic cannot be forwarded between ports in different VLANs. However, the Layer 2 traffic from
an isolated port can pass through the uplink port in the same isolation group unidirectionally even if they
belong to different VLANs.
Figure 30 Communication between ports in the same VLAN in port isolation
red discard, and traffic mirroring in the incoming direction of the actions.
91
Advertisement
Table of Contents
